Sync target upgrade blocked by security app

Operating system

Windows

Joplin version

2.12.19

Desktop version info

2.12.19

Sync target

Joplin Cloud

What issue do you have?

Joplin is attempting a "sync target upgrade" but local security software (ZScaler) is blocking that process.

Any thoughts as to how to perform the upgrade i some other fashion, so that sync can occur?

1 Like

ZScaler uses HTTPS MITM ( Company rolls their own certificate authority into the storage and then rewrites all HTTPS connections so they can decrypt the traffic and inspect it ).

What's possibly going on is that Joplin is ignoring the unknown company cert and refusing to connect.

I think there's an option to disable certificate checking in the sync target that will probably sort you out. There's not much to lose in trying as, ZScaler by it's nature defeats the client being able to know if the remote is actually who they claim to be, since every server would appear to be your own company anyway. E2E shouldn't be effected by disabling the checking however since the encryption is done on the client, so the best the ZScaler middleware see's for the Joplin data itself is still going to be encrypted (And given it's likely a company device, they already have admin on your machine so there has to be a level of trust anyway, given they could just remotely grab the raw data if they really wanted to)

(Mind, if I'm wrong and disabling the checks doesn't help, may as well turn the checks back on just incase! ZScaler doesn't have to be always running in VPN mode, so there could be times when you're not connected that normal certs work)

@mmckech In my company ZScaler is in use too. So please post here, whether you are able to connect finally.

Background: AFAIK ZScaler mostly blocks a connection because the connected site/server (here joplin cloud) is not trusted. In my company you can a ask for whitelisting a service, although that would only appear appropriate to me for work-related reasons (which joplin for me is not). But this might be an option for you - if needed.
In any way your issue is interesting, because Iā€™m not yet using joplin cloud, but thought about it several times.

Thanks for the ideas. I confirmed in the response HTML that ZScaler was blocking my connection attempt due to the target host, not due to the fact that ZScaler's cert is from an untrusted CA. That was a good idea; thanks @james-carroll .

Since I know my company won't approve a new connection to that host I simply switched to syncthing - as long as I don't connect to VPN, I can sync fine.

You can also try Joplin > Options > Synchronization > Advanced then check ignore TLS errors.